more defensiveness

Signed-off-by: clux <[email protected]>
kube-rs · Oct 21, 2023 · 8db9232 · 8db9232
1 parent 0a3b5e8
commit 8db9232
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 13 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -158,11 +158,18 @@ jobs:
           path: /tmp
       - name: Load docker image from tarball
         run: docker load --input /tmp/image.tar
-      - run: helm template charts/doc-controller --set version=latest | kubectl apply -f -
+      - run: |
+          apiserver="$(kubectl get endpoints kubernetes -ojson | jq '.subsets[0].addresses[0].ip' -r)"
+          helm template charts/doc-controller \
+            --set version=latest \
+            --set networkPolicy.enabled=true \
+            --set networkPolicy.apiserver.0=${apiserver}/32 \
+            | kubectl apply -f -
       - run: kubectl wait --for=condition=available deploy/doc-controller --timeout=30s
       - run: kubectl apply -f yaml/instance-samuel.yaml
       - run: sleep 2 # TODO: add condition on status and wait for it instead
       # verify reconcile actions have happened
+      - run: kubectl get netpol doc-controller -oyaml
       - run: kubectl logs deploy/doc-controller
       - run: kubectl get event --field-selector "involvedObject.kind=Document,involvedObject.name=samuel" | grep "HideRequested"
       - run: kubectl get doc -oyaml | grep -A1 finalizers | grep documents.kube.rs

diff --git a/charts/doc-controller/templates/networkpolicy.yaml b/charts/doc-controller/templates/networkpolicy.yaml
@@ -28,14 +28,13 @@ spec:
 
   # Kubernetes apiserver access
   - to:
-    - namespaceSelector:
-        matchLabels:
-          name: default
+    - ipBlock:
+    {{- range .Values.networkPolicy.apiserver }}
+        cidr: {{ . }}
+    {{- end }}
     ports:
     - port: 443
-      protocol: TCP
     - port: 6443
-      protocol: TCP
 
   {{- if .Values.networkPolicy.dns }}
   # DNS egress

diff --git a/charts/doc-controller/templates/rbac.yaml b/charts/doc-controller/templates/rbac.yaml
@@ -24,7 +24,8 @@ metadata:
 rules:
   - apiGroups: ["kube.rs"]
     resources: ["documents", "documents/status", "documents/finalizers"]
-    verbs: ["get", "list", "watch", "patch", "update"]
+    #verbs: ["get", "list", "watch", "patch", "update", "delete"]
+    verbs: ["*"]
   - apiGroups: ["events.k8s.io"]
     resources: ["events"]
     verbs: ["create"]

diff --git a/charts/doc-controller/values.yaml b/charts/doc-controller/values.yaml
@@ -38,6 +38,10 @@ tracing:
 networkPolicy:
   enabled: true
   dns: true
+  # How to reach the apiserver
+  # Takes addresses from "kubectl get endpoints kubernetes -n default"
+  apiserver:
+  - "10.0.0.0/24" # Wide-open default
   prometheus:
     enabled: true
     namespace: monitoring

diff --git a/yaml/deployment.yaml b/yaml/deployment.yaml
@@ -20,14 +20,11 @@ spec:
 
   # Kubernetes apiserver access
   - to:
-    - namespaceSelector:
-        matchLabels:
-          name: default
+    - ipBlock:
+        cidr: 10.0.0.0/24
     ports:
     - port: 443
-      protocol: TCP
     - port: 6443
-      protocol: TCP
   # DNS egress
   - to:
     - podSelector:
@@ -72,7 +69,8 @@ metadata:
 rules:
   - apiGroups: ["kube.rs"]
     resources: ["documents", "documents/status", "documents/finalizers"]
-    verbs: ["get", "list", "watch", "patch", "update"]
+    #verbs: ["get", "list", "watch", "patch", "update", "delete"]
+    verbs: ["*"]
   - apiGroups: ["events.k8s.io"]
     resources: ["events"]
     verbs: ["create"]